Google Book Privacy Policy: Good Start, Much More Needed

Google Book Privacy Policy: Good Start, Much More Needed

Late yesterday afternoon, September 3, 2009, Google finally issued a privacy policy for Google Books, both the current service and the extensive new book-related services they hope to have a federal court approve in October.

While there are some good things in the policy — many that EFF and its coalition partners the ACLU of Northern California and the Samuelson Clinic at Berkeley Law School have long been urging Google to do — it is still falls well short of the privacy protections that readers need, both substantively and in whether it will be permanent and readily enforceable by readers. Our coalition on behalf of authors and publishers seeking to protect reader privacy will still be filing an Objection to the Settlement in Court on Tuesday, September 8.

First, and most importantly, the privacy policy fails to address our core concerns about the standards for disclosure of reading habits to the government and private litigants.

What we asked Google to do was to insist that the most privacy-protective standards be met before disclosing someone's reading history. The position Google has taken instead is that it will follow the few state laws that plainly apply to it already — laws that would bind Google regardless of whether or not Google also wrote about them in its privacy policy. As for the readers living elsewhere, Google says that it will "continue its history of fighting for high standards to protect users," which is just an aspirational statement, not an enforceable commitment. Google needs to say "come back with a warrant" when law enforcement or civil litigants come knocking for their treasure trove of reader information. This policy does not.

Second, the privacy policy is procedurally insufficient to protect readers and authors who depend on reader privacy. While a privacy policy could be written to create enforceable promises, Google has issued a "website business as usual" privacy policy. Those policies can be changed at any time and may be unenforceable by readers whose privacy has been violated.

Given the important free expression interests at stake and the long history of protecting reader privacy by libraries and bookstores, readers need a durable guarantee of protection enforceable by a court. This is especially the case since Google needs court approval to create this massive new set of book services that include searching, browsing, lending, purchased access and even reading in the privacy of your own home.

Third, Google also failed to include many other items in the list of privacy demands we published in July, including that the policy:

fails to require Google to delete logging information about users within 30 days, or any other reasonably short period of time.

fails to ensure that readers will always be able to use anonymity services like the Tor network, proxy servers and anonymous VPN providers to access Google Book Search.

does not offer registered users who purchase texts any equivalent of a "hiding books under their bed" to protect against parents, family members or other local users who might scrutinize their reading (we suggested several ways that Google might implement a feature like this, and hope that Google will eventually do so)

fails to provide a robust, easy-to-read notice of and link to Google Book Search privacy provisions on the Google Book Search pages themselves, rather than tucked away in a privacy policy.

fails to address or in any way limit the use of watermarks to track users of Google Book Search.

fails to promise to annually publish online, in a conspicuous and easily accessible area of its website, the type and number of requests it receives for information about Google Book Search users from government entities or third parties.

While the Google Books Privacy Policy is not sufficient to protect reader privacy, it does contain some provisions that are good news for readers. For instance, it is welcome news that Google plans to ensure that credit card companies don't know what you read and give you the ability to delete books and hide your book purchases from prying eyes. Google says it will build in the "ability to limit the information available to credit card companies and enable you to delete or disassociate the titles of books purchased from your Google account." Google also does not plan to require sign-in to a Google Account for access to browsing and preview services, which will help protect the privacy of those looking for books.

We're pleased that Google is taking these good positions, among others, on issues we raised during our discussions with them over the summer. But to do right by readers — and the authors and publishers who stand with them for reader privacy — Google needs to do more.

Related Updates

The full weight of U.S. policing has descended upon protesters across the country as people take to the streets to denounce the police killings of Breonna Taylor, George Floyd, and countless others who have been subjected to police violence. Along with riot shields, tear gas, and other crowd control...

Your phone is your life. It’s where you communicate, get your news, take pictures and videos of your loved ones, relax and play games, and find a significant other. It can track your health, give you directions, remind you of events, and much more. It’s an incredibly helpful tool, but...

EFF has joined a broad coalition of civil liberties, civil rights, and labor advocates to oppose A.B. 2261, which threatens to normalize the increased use of face surveillance of Californians where they live and work. Our allies include the ACLU of California, Oakland Privacy, the California Employment Lawyers Association, Service...

In the wake of nationwide protests against the police killings of George Floyd and Breonna Taylor, we urge protestors to stay safe, both physically and digitally. Our Surveillance Self Defense (SSD) Guide on attending a protest offers practical tips on how to maintain your privacy and minimize your digital...

With states beginning to ease shelter-in-place restrictions, the conversation on COVID-19 has turned to questions of when and how we can return to work, take kids to school, or plan air travel.Several countries and U.S. states, including the UK, Italy, Chile, Germany, and California, have expressed interest in...

When it comes to surveillance of our online lives, Internet service providers (ISPs) are some of the worst offenders. Last year, the state of Maine passed a law targeted at the harms ISPs do to their customers when they use and sell their personal information. Now that law is...

COVID-19, and containment efforts that rely on personal data, are shining a spotlight on a longstanding problem: our nation’s lack of sufficient laws to protect data privacy. Two bills before Congress attempt to solve this problem as to COVID-19 data. One is a good start that needs improvements. The other...

In a landmark decision, the German Constitutional Court has ruled that mass surveillance of telecommunications outside of Germany conducted on foreign nationals is unconstitutional. Thanks to the chief legal counsel, Gesellschaft für Freiheitsrechte (GFF), this a major victory for global civil liberties, but especially those that live and...